Abstract

A strand is a sequence of events; it represents either the execution of a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol correctness claims may be expressed in terms of the connections between strands of different kinds.

In this paper we develop the notion of a strand space. We then prove a generally useful lemma, as a sample result giving a general bound on the abilities of the penetrator in any protocol. We apply the strand space formalism to prove the correctness of the Needham-Schroeder-Lowe protocol. Our approach gives a detailed view of the conditions under which the protocol achieves authentication and protects the secrecy of the values exchanged. We also use our proof methods to explain why the original Needham-Schroeder protocol fails.

We believe that our approach is distinguished from other work on protocol verification by the simplicity of the model and the ease of producing intelligible and reliable proofs of protocol correctness even without automated support.


1 Introduction

A security protocol is a sequence of messages between two or more parties in which encryption is used to provide authentication or to distribute cryptographic keys for new conversations [17]. Even when security protocols have been developed carefully by experts and reviewed carefully by other experts, they are often found later to have flaws that make them unusable (see, for example, [6, 11]). In many cases, the attacks do not presuppose any weakness in the cryptosystem being used, and would be just as harmful with an ideal cryptosystem. In other cases, characteristics of the cryptosystem and characteristics of the protocol combine to cause protocol failure [16, 5, 18].

*This work was supported by the National Security Agency through US Army CECOM contract DAAB 07-96-C-E601. Copyright 1998 IEEE. Published in Proceedings, 1998 IEEE Symposium on Security and Privacy, 3-6 May 1998 in Oakland, California.

Analyzing security protocols consists mainly in two complementary activities. The first is to find flaws in those protocols that are not correct, and the second is to establish convincingly the correctness of those that are. These activities are interrelated, because the discovery of a flaw may suggest an altered protocol that we may wish to prove correct, and because a failure to prove the correctness of a protocol may suggest a particular flaw.

In this paper, however, we focus on the second activity, proving the correctness of protocols when they are in fact correct. Moreover, at this stage, we consider only protocol correctness assuming ideal cryptography.

Much work both recently (for instance, [1, 21, 24]) and of an earlier vintage (such as [7, 3]) has proposed techniques for proving protocols correct. We believe that the approach presented here has several advantages. First, our approach gives a clear semantics to the assumption that certain data items, such as nonces and session keys, are fresh, and never arise in more than one protocol run. Second, our approach works with an explicit model of the possible behaviors of a system penetrator; this allows us to develop general theorems that bound the abilities of the penetrator, independent of the protocol under study. One such theorem is presented below in Section 3.2. Third, our approach allows various notions of correctness, involving both secrecy and authentication, to be stated and proved. And finally, in our opinion, the approach leads to detailed insight into the reasons why the protocol is correct, and the assumptions required. Proofs are simple and informative: they are easily developed by hand, and they help to identify more exact conditions under which we can rely on the protocol.

Our basic contribution is the strand space. A strand is a sequence of events that a participant may engage in. For a legitimate participant, each strand is a sequence of message sends and receives; it represents the actions of that party (but of that party only, not its presumed interlocutor) in a particular run of the protocol, with specific values of all data items such as keys and nonces. A strand for a penetrator is a sequence of message sends and receives possible for the penetrator. Penetrator strands include such activities as:

• receiving a symmetric key and a message encrypted using that key, and then sending the result of decrypting the message;

• receiving two messages and sending the result of concatenating them;

• sending out a guessable data item such as a name; and so on.

A strand space is a set of strands consisting of strands for the various legitimate protocol parties, together with penetrator strands.

A bundle consists of a number of strands — legitimate or otherwise — hooked together where one strand sends a message and another strand receives that same message. Typically, for a protocol to be correct, each such bundle must consist of one strand for each of the legitimate parties, all agreeing on the participants, nonces, and session keys [14, 23, 27]. Penetrator strands may also be entangled in a bundle, even in a correct protocol, but they do not prevent the legitimate parties from agreeing on the data values, or from maintaining the secrecy of the values chosen.

Protocol correctness typically depends essentially on the freshness of data items such as nonces and session keys. For this reason, the strand spaces that concern us are not full, in the sense that they do not contain all the strands that would arise if every participant used every possible data item. A strand space models the fact that some values occur only freshly by including only one strand originating that data item by initially sending a message containing it. Many strands, by contrast, may stand ready to combine with the originating strand by receiving the message and processing its contents further. A strand space will also model the assumption that some values are impossible for a penetrator to guess; in essence, the space simply lacks any penetrator strand in which this value is sent without having first been received.

In this paper, we will develop the basic machinery of strand spaces (Section 2). This machinery includes a partial order that models causal contribution, and justifies an induction-like proof method (Section 2.2). We then develop our model of the penetrator (Section 3), including a simple but useful theorem that gives a general bound on what the penetrator can do, regardless of the protocol being modeled (Section 3.2). In Section 4, we study the Needham-Schroeder-Lowe public key protocol [17, 11, 12] as an example, proving both an authentication result (Section 4.2) and a secrecy result (Section 4.4).

A technical report [25] develops more powerful bounds on the penetrator, akin to the one in Section 3.2. These are then used to prove authentication and secrecy results for two other protocols, namely the Otway-Rees protocol and the Yahalom protocol. In each case, we discover detailed (and unexpected) information on the exact conditions under which the protocol is correct.

2 Strand Spaces

In this section, we will introduce strand spaces and related notions (Section 2.1). A bundle is a portion of a strand space large enough to represent a full protocol exchange; it has a natural causal precedence relation relative to which inductive arguments may be carried out (Section 2.2). The terms that we will consider in the present paper are described in Section 2.3; a less restrictive treatment is available in [25], but would merely distract from the main points here. We finish this section by summarizing some of the notions of correctness that are natural to state and prove in our context (Section 2.4).

2.1 Basic Notions

Consider a set $A$, the elements of which are the possible messages that can be exchanged between principals in a protocol. We will refer to the elements of $A$ as terms. In the applications that we consider, the set $A$ has more structure, but in this section we assume that at least a subterm relation is defined on $A$. $t_1 \sqsubset t$ means $t_1$ is a subterm of $t$. In a protocol, principals can either send or receive terms. We will represent sending a term as the occurrence of that term with positive sign, and receiving a term as its occurrence with a negative sign.

Definition 2.1 A signed term is a pair $(\sigma, a)$ with $a \in A$ and $\sigma$ one of the symbols $+$, $-$. We will write a signed term as $+t$ or $-t$. $(\pm A)^*$ is the set of finite sequences of signed terms. We will denote a typical element of $(\pm A)^*$ by $\langle (\sigma_1, a_1), \ldots, (\sigma_n, a_n) \rangle$.

By abuse of language, we will still treat signed terms as ordinary terms, for instance as having subterms.

Definition 2.2 A strand space is a set $\Sigma$ with a trace mapping $\mathrm{tr} : \Sigma \to (\pm A)^*$.

In particular applications of the theory, the mapping $\mathrm{tr}$ need not be injective, because we may want to distinguish between various instances of the same trace. For instance, to model authentication properties of certain protocols it may be necessary to distinguish identical traces originating from different principals, or to model simple replay attacks we may need to distinguish identical traces originating successively from the same principal.

Fix a strand space $\Sigma$.
1. A node is a pair $(s, i)$, with $s \in \Sigma$ and $i$ an integer satisfying $1 \le i \le \mathrm{length}(\mathrm{tr}(s))$. The set of nodes is denoted by $\mathcal{N}$. We will say the node $(s, i)$ belongs to the strand $s$. Clearly, every node belongs to a unique strand.

2. If $n = (s, i) \in \mathcal{N}$ then $\mathrm{index}(n) = i$ and $\mathrm{strand}(n) = s$. Define $\mathrm{term}(n)$ to be $(\mathrm{tr}(s))_i$, i.e. the $i$th signed term in the trace of $s$. Similarly, $\mathrm{uns\_term}(n)$ is $((\mathrm{tr}(s))_i)_2$, i.e. the unsigned part of the $i$th signed term in the trace of $s$.

3. If $n_1, n_2 \in \mathcal{N}$, $n_1 \to n_2$ means $\mathrm{term}(n_1) = +a$ and $\mathrm{term}(n_2) = -a$. It means that node $n_1$ sends the message $a$, which is received by $n_2$, creating a causal link between their strands.

4. If $n_1, n_2 \in \mathcal{N}$, then $n_1 \Rightarrow n_2$ means $n_1, n_2$ occur on the same strand with $\mathrm{index}(n_1) = \mathrm{index}(n_2) - 1$. It expresses that $n_1$ is an immediate causal predecessor of $n_2$ on the strand.

5. An unsigned term $t$ occurs in $n \in \mathcal{N}$ iff $t \sqsubset \mathrm{term}(n)$.

6. An unsigned term $t$ originates on $n \in \mathcal{N}$ iff: $\mathrm{term}(n)$ is positive; $t \sqsubset \mathrm{term}(n)$; and whenever $n'$ precedes $n$ on the same strand, $t \not\sqsubset \mathrm{term}(n')$.

7. An unsigned term $t$ is uniquely originating iff $t$ originates on a unique $n \in \mathcal{N}$.

If a term $t$ originates uniquely in a particular strand space, then it can play the role of a nonce or session key in that structure.

$\mathcal{N}$ becomes an ordered graph with both sets of edges $n_1 \to n_2$ and $n_1 \Rightarrow n_2$.

2.2 Bundles and Causal Precedence

A bundle is a finite subgraph of this graph, for which we can regard the edges as expressing the causal dependencies of the nodes.

Definition 2.3 Let $\mathcal{C}$ be a set of edges, and let $\mathcal{N}_\mathcal{C}$ be the set of nodes incident with any edge in $\mathcal{C}$. $\mathcal{C}$ is a bundle if:

1. $\mathcal{C}$ is finite.

2. If $n_1 \in \mathcal{N}_\mathcal{C}$ and $\mathrm{term}(n_1)$ is negative, then there is a unique $n_2$ such that $n_2 \to n_1 \in \mathcal{C}$.

3. If $n_1 \in \mathcal{N}_\mathcal{C}$ and $n_2 \Rightarrow n_1$ then $n_2 \Rightarrow n_1 \in \mathcal{C}$.

4. $\mathcal{C}$ is acyclic.

Notational Convention 2.4 A node $n$ is in a bundle $\mathcal{C}$, written $n \in \mathcal{C}$, if $n \in \mathcal{N}_\mathcal{C}$; a strand $s$ is in a bundle if all of its nodes are in $\mathcal{N}_\mathcal{C}$.


Definition 2.5 Suppose that $\mathcal{S}$ is a set of edges, i.e. a subset of the union of $\to$ and $\Rightarrow$, and let $\mathcal{N}_\mathcal{S}$ be the set of nodes incident with any edge in $\mathcal{S}$.

Then $\prec_\mathcal{S}$ is the transitive closure of $\mathcal{S}$, and $\preceq_\mathcal{S}$ is the reflexive, transitive closure of $\mathcal{S}$; each is a subset of $\mathcal{N}_\mathcal{S} \times \mathcal{N}_\mathcal{S}$.

$n \prec_\mathcal{S} n'$ means that there is a sequence of one or more edges (of either kind) belonging to $\mathcal{S}$ leading from $n$ to $n'$. Similarly, $n \preceq_\mathcal{S} n'$ means that there is a sequence of zero or more edges belonging to $\mathcal{S}$ leading from $n$ to $n'$. In case $\mathcal{S}$ is a bundle, $\preceq_\mathcal{S}$ is a partial ordering. We regard it as expressing causal precedence, because $n \prec_\mathcal{S} n'$ holds just in case $n$'s occurrence contributes to allowing $n'$ to occur.

Lemma 2.6 Suppose $\mathcal{C}$ is a bundle. Then $\preceq_\mathcal{C}$ is a partial order, i.e. a reflexive, antisymmetric, transitive relation. Every non-empty subset of the nodes in $\mathcal{C}$ has $\preceq_\mathcal{C}$-minimal members.

When a bundle $\mathcal{C}$ is understood, we will simply write $\preceq$. Similarly, "minimal" will mean $\preceq_\mathcal{C}$-minimal.

Most of our arguments turn on the $\preceq_\mathcal{C}$-minimal elements in some set of nodes. These arguments are motivated by the question, "What did he know, and when did he know it?" The existence of minimal members in non-empty sets serves as a kind of induction principle, an observation that clarifies the relation of our approach to Paulson's and Schneider's [21, 24].

Lemma 2.7 Suppose $\mathcal{C}$ is a bundle, and suppose $S$ is a set of nodes such that $\mathrm{uns\_term}(m) = \mathrm{uns\_term}(m')$ implies that $m \in S$ iff $m' \in S$, for all nodes $m, m'$. If $n$ is a $\preceq_\mathcal{C}$-minimal member of $S$, then the sign of $n$ is positive.

PROOF. If $\mathrm{term}(n)$ were negative, then by the bundle property, $n' \to n$ for some $n' \in \mathcal{C}$ and, sign apart, $\mathrm{term}(n) = \mathrm{term}(n')$. Hence, $n' \in S$, violating the minimality property of $n$. ∎

Lemma 2.8 Suppose $\mathcal{C}$ is a bundle, $t \in A$ and $n \in \mathcal{C}$ is a $\preceq_\mathcal{C}$-minimal element of $\{m \in \mathcal{C} : t \sqsubset \mathrm{term}(m)\}$. The node $n$ is an originating occurrence for $t$.

PROOF. By Lemma 2.7, the sign of $n$ is positive. If $n' \prec n$ lies on the strand of $n$, then $n' \in \mathcal{C}$, so by the minimality property of $n$, $t \not\sqsubset \mathrm{term}(n')$. Thus $n$ is originating for $t$. ∎
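The following is an added example, not code from the paper: a small Python model of Definitions 2.2, 2.3 and 2.5 over a constructed strand space whose messages are opaque labels m1, m2, m3 (shaped like the three messages of the protocol studied in Section 4, plus one penetrator T-strand). The strand names, the labels and the function names are this example's own. It checks the four bundle conditions of Definition 2.3, computes the precedence relation as the transitive closure of the edge set, finds the ≼-minimal members of a set of nodes, and confirms the conclusion of Lemma 2.7 on a set closed under equality of unsigned terms.

```python
"""Nodes, bundles and causal precedence (Definitions 2.2, 2.3, 2.5; Lemmas 2.6
and 2.7) over a constructed strand space.  Added example; messages are opaque
labels because only equality of terms matters here."""
from itertools import product

# Constructed traces: "init" sends m1, receives m2, sends m3; "resp" is the
# mirror image; "tee" is a penetrator T-strand that receives m1 and re-emits it.
STRANDS = {
    "init": (("+", "m1"), ("-", "m2"), ("+", "m3")),
    "resp": (("-", "m1"), ("+", "m2"), ("-", "m3")),
    "tee":  (("-", "m1"), ("+", "m1"), ("+", "m1")),
}

def nodes(strands):
    """Nodes are pairs (s, i) with 1 <= i <= length(tr(s))."""
    return [(s, i) for s, tr in strands.items() for i in range(1, len(tr) + 1)]

def term(strands, n):
    """term(n): the i-th signed term of the strand's trace."""
    s, i = n
    return strands[s][i - 1]

def strand_edges(strands):
    """All n1 => n2 edges: consecutive nodes of one strand."""
    return {((s, i), (s, i + 1)) for s, tr in strands.items() for i in range(1, len(tr))}

def comm_edges(strands):
    """All possible n1 -> n2 edges: n1 sends a, n2 receives the same a."""
    ns = nodes(strands)
    return {(n1, n2) for n1, n2 in product(ns, ns)
            if term(strands, n1)[0] == "+" and term(strands, n2) == ("-", term(strands, n1)[1])}

def bundle_nodes(edges):
    """N_C: the nodes incident with some edge of C."""
    return {n for e in edges for n in e}

def is_acyclic(edges):
    """Peel off nodes with no incoming edge; a cycle leaves nothing to peel."""
    rest = set(edges)
    while rest:
        sources = {a for a, _ in rest} - {b for _, b in rest}
        if not sources:
            return False
        rest = {e for e in rest if e[0] not in sources}
    return True

def is_bundle(strands, edges):
    """Definition 2.3.  `edges` is a Python set, so Clause 1 (finiteness) holds."""
    comm, succ = comm_edges(strands), strand_edges(strands)
    if not edges <= comm | succ:
        return False
    for n in bundle_nodes(edges):
        if term(strands, n)[0] == "-":                     # Clause 2: exactly one sender
            if sum(1 for (a, b) in edges & comm if b == n) != 1:
                return False
        for (a, b) in succ:                                # Clause 3: => predecessor present
            if b == n and (a, b) not in edges:
                return False
    return is_acyclic(edges)                               # Clause 4

def precedes(edges):
    """Definition 2.5: the transitive closure of the edges, i.e. the relation n < n'."""
    closure = set(edges)
    while True:
        new = {(a, d) for (a, b) in closure for (c, d) in closure if b == c} - closure
        if not new:
            return closure
        closure |= new

def minimal(edges, subset):
    """The <=-minimal members of `subset` (non-empty by Lemma 2.6 for a bundle)."""
    prec = precedes(edges)
    return {n for n in subset if not any((m, n) in prec for m in subset)}

def lemma_2_7_holds(strands, edges, label):
    """S = nodes carrying `label` is closed under uns_term equality, so every
    <=-minimal member of S must be positive (Lemma 2.7)."""
    s = {n for n in bundle_nodes(edges) if term(strands, n)[1] == label}
    return all(term(strands, n)[0] == "+" for n in minimal(edges, s))

# Constructed bundle: init and resp hooked together on all three messages, with
# their => edges; the tee strand takes no part in this run.
BUNDLE = strand_edges({k: STRANDS[k] for k in ("init", "resp")}) | {
    (("init", 1), ("resp", 1)), (("resp", 2), ("init", 2)), (("init", 3), ("resp", 3))}
```

Dropping the edge that delivers m1 to the responder, or adding a second sender for it from the tee strand, makes `is_bundle` fail on Clause 2; the minimal node of the whole bundle is the initiator's first (positive) node, and the minimal node among the two m2 nodes is the responder's send, as Lemma 2.7 requires.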

2.3 Terms and Encryption

We will now specialize the set of terms $A$. In particular we will assume given:

• A set $T$ of texts (representing the atomic messages).

• A set $\mathbf{K}$ of cryptographic keys disjoint from $T$, equipped with a unary operator $\mathrm{inv} : \mathbf{K} \to \mathbf{K}$. We assume that $\mathrm{inv}$ maps each member of a key pair for an asymmetric cryptosystem to the other, and that it maps a symmetric key to itself.

• Two binary operators

  $\mathrm{encr} : \mathbf{K} \times A \to A$
  $\mathrm{join} : A \times A \to A$

As usual, we will write $\mathrm{inv}(K)$ as $K^{-1}$, $\mathrm{encr}(K, m)$ as $\{m\}_K$, and $\mathrm{join}(a, b)$ as $a\ b$.

The proofs in this paper will use an assumption we will call the assumption of free encryption; many other authors (e.g. [13, 15, 21]) make similar assumptions. It stipulates that a ciphertext can be regarded as a ciphertext in just one way:

  $\{m\}_K = \{m'\}_{K'} \Rightarrow m = m' \wedge K = K'$

For the purposes of this paper we will make a stronger assumption, namely that $A$ is the algebra freely generated from $T$ and $\mathbf{K}$ by the two operators $\mathrm{encr}$ and $\mathrm{join}$, in the sense that these two operators are injective, and have range disjoint from each other and from $T$ and $\mathbf{K}$. This is more than would be needed for our method [25], but it leads to the simplest exposition of the main points.

Attacks that might exist if there are terms that may be "read" as having more than one form are referred to as type flaw attacks [4]. Some type flaw attacks seem implausible, in the sense that most implementations would not be vulnerable to them, while others are more troublesome. Type flaws could be modeled by extending strand spaces in various possible ways.

The subterm relation $\sqsubset$ is defined inductively, so that:

• $a \sqsubset t$ for $t \in T$ iff $a = t$;

• $a \sqsubset K$ for $K \in \mathbf{K}$ iff $a = K$;

• $a \sqsubset \{g\}_K$ iff $a \sqsubset g$ or $a = \{g\}_K$;

• $a \sqsubset g\ h$ iff $a \sqsubset g$, $a \sqsubset h$ or $a = g\ h$.

We should emphasize that, for $K \in \mathbf{K}$, $K \sqsubset \{g\}_{K'}$ only if $K \sqsubset g$ already. Restricting subterms in this way reflects an assumption about the penetrator's capabilities, to wit, that keys can be obtained from ciphertext only if they are embedded in the text that was encrypted. This might not always be the case — for instance, if a dictionary attack is possible — but it is the assumption we will make here.

This notion of subterm does not always mesh perfectly with the definition of origination and unique origination, which refers to the subterm relation (Section 2.1, Clauses 6 and 7). In some cases [26], it is more natural to use a notion of origination referring to the larger relation $\sqsubset'$; that relation would be defined so that

  $a \sqsubset' \{g\}_K$ iff $a \sqsubset' g \vee a = K \vee a = \{g\}_K$

2.4 Notions of Correctness

Gavin Lowe studies a range of authentication properties in [14]; strand spaces are a natural model for stating and proving his agreement properties.¹ A protocol guarantees a participant $B$ (say, as the responder) agreement for certain data items $x$ if:

    each time a principal $B$ completes a run of the protocol as responder using $x$, apparently with $A$, then there is a unique run of the protocol with the principal $A$ as initiator using $x$, apparently with $B$.

A weaker non-injective agreement does not ensure uniqueness, but requires only:

    each time a principal $B$ completes a run of the protocol as responder using $x$, apparently with $A$, then there exists a run of the protocol with the principal $A$ as initiator using $x$, apparently with $B$.

Non-injective agreement is weaker because it does not prevent the other party $A$ from being duped into executing multiple runs matching a single run by $B$.

We can prove non-injective agreement by establishing that, whenever a bundle $\mathcal{C}$ contains a responder strand using $x$, then $\mathcal{C}$ also contains an initiator strand using $x$. We can establish agreement by showing that $\mathcal{C}$ contains a unique initiator strand using $x$. We will illustrate these properties in Propositions 4.2 and 4.8.

A simple notion of secrecy, sufficient for our purposes here, for a data value $x$ may also be easily stated. We stipulate that no node $n$ — whether a regular node or a penetrator node — ever has $x$ unprotected as its term. Thus, a value $x$ is secret in a strand space $\Sigma$ if, for every bundle $\mathcal{C}$ in $\Sigma$, and every node $n \in \mathcal{C}$, $\mathrm{term}(n) \ne x$. We illustrate this property in Proposition 4.10.

This notion of secrecy concerns only what is "said on the wire." In this sense, a value is secret if the non-penetrator strands never emit it, and the penetrator can never derive (and emit) it from what they do emit. Legitimate protocol participants may "know" a secret value in the sense of carrying out computations that depend on it, so long as their behavior in the protocol does not include disclosing it in public.

¹These are akin to the correspondence properties of Woo and Lam [27].

More stringent notions of secrecy are also possible, as for instance the information flow security properties, and may be fruitfully applied to security protocols [8].

3 The Penetrator

The penetrator's powers are characterized by two ingredients, namely a set of keys known initially to the penetrator and a set of penetrator strands that allow the penetrator to generate new messages from messages he intercepts.

A penetrator set consists of a set of keys $K_P$. It contains the keys initially known to the penetrator. Typically it would contain: all public keys; all private keys of penetrators; and all symmetric keys $K_{PX}$, $K_{XP}$ initially shared between the penetrator and principals playing by the protocol rules. It may also contain "lost keys" that became known to the penetrator, either because a principal was careless, or else because the penetrator succeeded in some cryptanalysis.

3.1 Penetrator Strands

The atomic actions available to the penetrator are encoded in a set of penetrator traces. They summarize his ability to discard messages, generate well known messages, piece messages together, and apply cryptographic operations using keys that become available to him. A protocol attack typically requires hooking together several of these atomic actions.

Definition 3.1 A penetrator trace is one of the following:

M. Text message: $\langle +t \rangle$ where $t \in T$

F. Flushing: $\langle -g \rangle$

T. Tee: $\langle -g, +g, +g \rangle$

C. Concatenation: $\langle -g, -h, +g\ h \rangle$

S. Separation into components: $\langle -g\ h, +g, +h \rangle$

K. Key: $\langle +K \rangle$ where $K \in K_P$.

E. Encryption: $\langle -K, -h, +\{h\}_K \rangle$.

D. Decryption: $\langle -K^{-1}, -\{h\}_K, +h \rangle$.

This set of penetrator traces gives the penetrator powers similar to those in other approaches, e.g. [13, 21]. They ensure that the values that may be emitted by the penetrator are closed under joining, encryption, and the relevant "inverses."

It is also possible to extend the set of penetrator traces given here if it is desired to model some special ability of the penetrator. That requires no essential change to our overall framework, although the proofs in this paper would then need to be modified to take account of the additional penetrator traces. Our theorems characterize a penetrator with just the powers we have described; a penetrator with additional computational or cryptanalytic abilities may not be subject to the same limitations.

Definition 3.2 An infiltrated strand space is a pair $(\Sigma, P)$ with $\Sigma$ a strand space and $P \subseteq \Sigma$ such that $\mathrm{tr}(p)$ is a penetrator trace for all $p \in P$.

A strand $s \in \Sigma$ is a penetrator strand if it belongs to $P$, and a node is a penetrator node if the strand it lies on is a penetrator strand. Otherwise we will call it a non-penetrator or regular strand or node.

A node $n$ is an M, F, etc. node if $n$ lies on a penetrator strand with a trace of kind M, F, etc.

We would not expect an infiltrated strand space to realize all of the penetrator traces of type M. In that case, the space could not model unguessable nonces. The more useful spaces $\Sigma$ lack M-strands for many text values, which the legitimate participants can use as fresh nonces.

3.2 A Bound on the Penetrator

Because the powers of the penetrator are defined by the penetrator keys and the penetrator strands, they are independent of the choice of a particular protocol to be proved correct. We can accordingly prove general facts about the penetrator's powers, re-using them whenever we become interested in a new protocol. In [25], we develop several powerful theorems about the penetrator, which are of use in all three of the protocols studied there. Here, we will prove a simple theorem that is useful in the example we will turn to next, namely the Needham-Schroeder-Lowe protocol.

The proof of this theorem is typical of how we use Lemma 2.6. By "$S \setminus T$" we mean the set difference of $S$ and $T$.

Proposition 3.3 Let $\mathcal{C}$ be a bundle, and let $K \in \mathbf{K} \setminus K_P$. If $K$ never originates on a regular node, then $K \not\sqsubset \mathrm{term}(p)$ for any penetrator node $p \in \mathcal{C}$.

PROOF. Consider the set $S = \{n \in \mathcal{C} : K \sqsubset \mathrm{term}(n)\}$. Suppose (to derive a contradiction) that $S$ is non-empty. Then $S$ has members that are minimal relative to $\preceq_\mathcal{C}$ (Lemma 2.6). By Lemma 2.8, any $\preceq_\mathcal{C}$-minimal members of $S$ are originating occurrences of $K$. Hence, by the assumption, they are all penetrator nodes. By Lemma 2.7, they are all positive nodes. We will now examine the possible cases for positive penetrator nodes.

M. The strand has the form $\langle +t \rangle$ where $t \in T$, but $K \not\sqsubset t$.

F. The strand has the form $\langle -g \rangle$, and thus lacks any positive nodes.

T. The strand has the form $\langle -g, +g, +g \rangle$, so no value originates on the positive nodes.

C. The strand has the form $\langle -g, -h, +g\ h \rangle$, so no value originates on the positive node.

S. The strand has the form $\langle -g\ h, +g, +h \rangle$, so no value originates on the positive nodes.

K. The strand has the form $\langle +K_0 \rangle$ where $K_0 \in K_P$. But $K \sqsubset K_0$ iff $K = K_0$, contrary to the assumption that $K \in \mathbf{K} \setminus K_P$.

E. The strand has the form $\langle -K_0, -h, +\{h\}_{K_0} \rangle$. By the definition of $\sqsubset$, $a \sqsubset \{h\}_{K_0}$ iff $a \sqsubset h$ or $a = \{h\}_{K_0}$. Hence, no key can occur in the positive node without having occurred in a previous node.

D. The strand has the form $\langle -K_0^{-1}, -\{h\}_{K_0}, +h \rangle$. By the definition of $\sqsubset$, $a \sqsubset h$ only if $a \sqsubset \{h\}_{K_0}$, so no key can occur in the positive node without having occurred in a previous node.

Hence $S$ is in fact empty. But if $S$ is empty, then $K \not\sqsubset \mathrm{term}(n)$ for any $n \in \mathcal{C}$, hence certainly $K \not\sqsubset \mathrm{term}(p)$ for penetrator nodes $p \in \mathcal{C}$. ∎

This proof method is characteristic: it successively considers the minimal elements in a set, considers whether they are regular nodes or penetrator nodes, and finally takes cases on the different forms of penetrator strands.

4 The Needham-Schroeder-Lowe Protocol

This protocol was proposed by Gavin Lowe [12] as a way to fix the public-key protocol proposed by Needham and Schroeder [17], which he had discovered to be flawed [11]. In the form Lowe considers, the protocol assumes that each participant has somehow discovered the other's public key.

1. $A \to B$: $\{N_a\ A\}_{K_B}$

2. $B \to A$: $\{N_a\ N_b\ B\}_{K_A}$

3. $A \to B$: $\{N_b\}_{K_B}$

The intended result of this protocol is that the two participants should come to share access to the values $N_a$ and $N_b$, each associating these values with the other participant, and no other party should be in possession of them. The protocol might be used in a context where the two values are hashed together to yield a shared symmetric key for an encrypted session, for instance. This protocol differs from the original Needham-Schroeder public key protocol only in message 2; in the original protocol, $B$'s name is not included.

In [12], Lowe proves the correctness of the revised protocol, showing that any attack against the revised protocol could be realized using just two runs of the protocol. The FDR model checker discloses that no attack exists on such a small system; this result is confirmed by examining the possible forms of an attack. In this section we will give a different proof using the strand space approach.

We specialize the term algebra somewhat, equipping it with:

• A set of names $T_\mathrm{name} \subseteq T$. We will use variables such as $A$, $B$ to range over $T_\mathrm{name}$.

• A mapping $K : T_\mathrm{name} \to \mathbf{K}$. This is the mapping that associates a public key with each principal. We will follow tradition by writing $K(A)$ in the form $K_A$. We will assume that this function is injective, so that if $K_A = K_B$, then $A = B$. The protocol does not achieve its authentication goals unless the mapping $K$ is injective.

4.1 NSL Strand Spaces

Definition 4.1 An infiltrated strand space $(\Sigma, P)$ is an NSL space if $\Sigma$ is the union of three kinds of strands:

1. Penetrator strands $s \in P$;

2. "Initiator strands" with trace $\mathrm{Init}[A, B, N_a, N_b]$, defined to be:

  $\langle +\{N_a\ A\}_{K_B},\ -\{N_a\ N_b\ B\}_{K_A},\ +\{N_b\}_{K_B} \rangle$

  where $A, B \in T_\mathrm{name}$, $N_a, N_b \in T$ but $N_a \notin T_\mathrm{name}$.

3. Complementary "responder strands" with trace $\mathrm{Resp}[A, B, N_a, N_b]$, defined to be:

  $\langle -\{N_a\ A\}_{K_B},\ +\{N_a\ N_b\ B\}_{K_A},\ -\{N_b\}_{K_B} \rangle$

  where $A, B \in T_\mathrm{name}$, $N_a, N_b \in T$ but $N_b \notin T_\mathrm{name}$.

If $s$ is a regular strand with trace $\mathrm{Init}[A, B, N_a, N_b]$ or $\mathrm{Resp}[A, B, N_a, N_b]$, then we refer to $A$ and $B$ as the initiator and the responder of $s$ (respectively), and to $N_a$ and $N_b$ as the initiator's value and responder's value (respectively). The intention is that these values should be nonces, in the sense of texts uniquely originating in $\Sigma$. Note that given any strand $s$ in $\Sigma$, we can uniquely classify it as a penetrator strand, an initiator's strand, or a responder's strand just by the form of its trace. In particular, given an NSL space $\Sigma$, we can read off which strands are penetrator strands, so that $(\Sigma, P)$ is uniquely determined. Hence we can omit $P$ safely.
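As an added example (not the paper's own code), the following Python builds the free term algebra of Section 2.3, its subterm relation, origination (Section 2.1, Clause 6) and a derivability check in the spirit of Proposition 3.3, and applies them to the Init and Resp traces of Definition 4.1. It splits the penetrator's powers in the usual way, which is this example's choice rather than a construction from the paper: `analyze` closes the intercepted terms and $K_P$ under the S and D traces, and `can_emit` asks whether the C and E traces (together with M- and K-strands) can then build a target term; T and F add nothing. The principal names, the nonce and key labels, the right-nested representation of $N_a\ N_b\ B$, and the function names are this example's assumptions.

```python
"""Term algebra of Section 2.3, subterm, origination (Section 2.1, Clause 6) and
a penetrator-derivability check in the spirit of Proposition 3.3, run on the NSL
traces of Definition 4.1.  Added example; all names are constructed."""
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Text:                 # t in T: an atomic message (name, nonce, ...)
    name: str

@dataclass(frozen=True)
class Key:                  # K in the set of keys
    name: str
    asym: bool = False      # member of an asymmetric key pair?
    private: bool = False

    def inv(self):
        """inv: a symmetric key maps to itself; a pair member maps to its partner."""
        return Key(self.name, True, not self.private) if self.asym else self

@dataclass(frozen=True)
class Encr:                 # {body}_key
    key: Key
    body: "Term"

@dataclass(frozen=True)
class Join:                 # left right
    left: "Term"
    right: "Term"

Term = Union[Text, Key, Encr, Join]

def subterm(a, t):
    """a is a subterm of t by the inductive definition of Section 2.3.  The key
    of a ciphertext is not a subterm of it: K in {g}_K' only if K in g already."""
    if a == t:
        return True
    if isinstance(t, Encr):
        return subterm(a, t.body)
    if isinstance(t, Join):
        return subterm(a, t.left) or subterm(a, t.right)
    return False

def originates(trace, i, t):
    """Clause 6: t originates on node (s, i) iff the node is positive, t is a
    subterm of its term, and of no earlier term on the same strand."""
    sign, u = trace[i - 1]
    return sign == "+" and subterm(t, u) and not any(subterm(t, v) for _, v in trace[:i - 1])

def analyze(intercepted, kp):
    """Close the intercepted terms and K_P under the S (separation) and D
    (decryption) traces of Definition 3.1: everything the penetrator can extract."""
    have = set(intercepted) | set(kp)
    while True:
        new = set()
        for x in have:
            if isinstance(x, Join):
                new |= {x.left, x.right}
            elif isinstance(x, Encr) and x.key.inv() in have:
                new.add(x.body)
        if new <= have:
            return have
        have |= new

def can_emit(target, have, guessable=frozenset()):
    """Can a penetrator strand send `target`?  Yes if it was extracted, it is a
    guessable text (an M-strand exists for it), or the C / E traces can build it
    from parts the penetrator can emit.  T and F strands add nothing new."""
    if target in have or (isinstance(target, Text) and target.name in guessable):
        return True
    if isinstance(target, Join):
        return can_emit(target.left, have, guessable) and can_emit(target.right, have, guessable)
    if isinstance(target, Encr):
        return can_emit(target.key, have, guessable) and can_emit(target.body, have, guessable)
    return False

# Constructed NSL run between hypothetical principals A and B (Section 4).
A, B = Text("A"), Text("B")
NA, NB = Text("N_a"), Text("N_b")
K_A, K_B = Key("K_A", asym=True), Key("K_B", asym=True)   # public keys; K_A.inv() is K_A^-1
MSG1 = Encr(K_B, Join(NA, A))                              # {N_a A}_{K_B}
MSG2 = Encr(K_A, Join(NA, Join(NB, B)))                    # {N_a N_b B}_{K_A}, right-nested
MSG3 = Encr(K_B, NB)                                       # {N_b}_{K_B}
INIT = (("+", MSG1), ("-", MSG2), ("+", MSG3))             # Init[A, B, N_a, N_b]
RESP = (("-", MSG1), ("+", MSG2), ("-", MSG3))             # Resp[A, B, N_a, N_b]
# K_P: every public key plus the penetrator's own private key, no regular private key.
K_P = {K_A, K_B, Key("K_P", asym=True, private=True)}
NAMES = frozenset({"A", "B"})                              # texts the penetrator may guess

def penetrator_view(kp):
    """Everything the penetrator can extract after intercepting all three messages."""
    return analyze([MSG1, MSG2, MSG3], kp)

def prop_3_3_respected(kp, key):
    """Instance of Proposition 3.3: `key` (not in K_P, not originating on a regular
    node) is a subterm of nothing the penetrator can extract."""
    return key not in kp and not any(subterm(key, x) for x in penetrator_view(kp))
```

`originates(RESP, 2, NB)` is the content of Lemma 4.3 below: $N_b$ originates at the responder's second node because it is not a subterm of $\{N_a\ A\}_{K_B}$. $K_A^{-1}$ is absent from $K_P$ and never sent by a regular strand, so `prop_3_3_respected(K_P, K_A.inv())` holds; adding $K_B^{-1}$ to $K_P$ as a "lost key" (Section 3) lets `analyze` recover $N_a$ and $N_b$ from messages 1 and 3.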
4.2 Agreement: The Responder's Guarantee

Proposition 4.2 Suppose:

1. $\Sigma$ is an NSL space and $\mathcal{C}$ is a bundle containing a responder's strand $s$ with trace $\mathrm{Resp}[A, B, N_a, N_b]$;

2. $K_A^{-1} \notin \mathcal{K}_\mathcal{P}$; and

3. $N_a \neq N_b$ and $N_b$ is uniquely originating in $\Sigma$.

Then $\mathcal{C}$ contains an initiator's strand $t$ with trace $\mathrm{Init}[A, B, N_a, N_b]$.

We will prove this using a sequence of lemmas. Throughout the remainder of this section, we will fix an arbitrary $\Sigma$, $\mathcal{C}$, $s$, $A$, $B$, $N_a$, and $N_b$ satisfying the hypotheses of Proposition 4.2. The node $\langle s, 2 \rangle$ outputs the value $\{N_a\ N_b\ B\}_{K_A}$; for convenience we will refer to this node as $n_0$, and to its term as $v_0$. The node $\langle s, 3 \rangle$ receives the value $\{N_b\}_{K_B}$; we will refer to this node as $n_3$ and its term as $v_3$. We will identify two additional nodes $n_1$ and $n_2$ during the course of the proof, such that $n_0 \prec n_1 \wedge n_2 \prec n_3$.

Lemma 4.3 $N_b$ originates at $n_0$.

PROOF. By the assumptions, $N_b \sqsubset v_0$, and the sign of $n_0$ is positive. Thus, we need only check that $N_b \not\sqsubset \mathrm{term}(n')$, where $n'$ is the node $\langle s, 1 \rangle$ preceding $n_0$ on the same strand. Since $\mathrm{term}(n') = \{N_a\ A\}_{K_B}$, we need to check that $N_b \neq N_a$, which is a hypothesis, and $N_b \neq A$, which follows from the stipulation (in Definition 4.1, Clause 3) that the responder's value not be in $\mathsf{T}_{name}$. ■

Next comes the main lemma, which establishes that the crucial step is taken by a regular strand and not a penetrator strand. As usual, it considers the $\preceq$-minimal members of a set of nodes. The content of the lemma is represented in Figure 1.

[Figure 1. Regular Node $n_2$: Minimal in $S$]

Lemma 4.4 The set $S = \{n \in \mathcal{C} : N_b \sqsubset \mathrm{term}(n) \wedge v_0 \not\sqsubset \mathrm{term}(n)\}$ has a $\preceq$-minimal node $n_2$. The node $n_2$ is regular, and the sign of $n_2$ is positive.

PROOF. Because $n_3 \in \mathcal{C}$, and $n_3$ contains $N_b$ but not as a subterm of $v_0$, $S$ is non-empty. Hence $S$ has (at least) a $\preceq$-minimal element $n_2$ by Lemma 2.6. The sign of $n_2$ is positive by Lemma 2.7.

Can $n_2$ lie on a penetrator strand $p$? Let us examine the possible cases for positive penetrator nodes, according to the form of the trace of $p$. We will consider case S last.

M. The trace $\mathrm{tr}(p)$ has the form $\langle +t \rangle$ where $t \in \mathsf{T}$; so we must have $t = N_b$. In this case $N_b$ originates on this strand. But that is impossible, as $N_b$ originates uniquely on $n_0$ (Lemma 4.3).

F. The trace $\mathrm{tr}(p)$ has the form $\langle -g \rangle$, and thus lacks any positive nodes.

T. The trace $\mathrm{tr}(p)$ has the form $\langle -g, +g, +g \rangle$, so the positive nodes are not minimal occurrences.

C. The trace $\mathrm{tr}(p)$ has the form $\langle -g, -h, +g\,h \rangle$, so the positive node is not a minimal occurrence.

K. The trace $\mathrm{tr}(p)$ has the form $\langle +K_0 \rangle$ where $K_0 \in \mathcal{K}_\mathcal{P}$. But $N_b \neq K_0$, so this case does not apply.

E. The trace $\mathrm{tr}(p)$ has the form $\langle -K_0, -h, +\{h\}_{K_0} \rangle$. Suppose $N_b \sqsubset \{h\}_{K_0} \wedge v_0 \not\sqsubset \{h\}_{K_0}$. Since $N_b \neq \{h\}_{K_0}$, $N_b \sqsubset h$. Moreover, $v_0 \not\sqsubset h$, so the positive node is not minimal in $S$.

D. The trace $\mathrm{tr}(p)$ has the form $\langle -K_0^{-1}, -\{h\}_{K_0}, +h \rangle$. If the positive node is minimal in $S$, then $v_0 \not\sqsubset h$ but $v_0 \sqsubset \{h\}_{K_0}$. Hence (using the assumption of free encryption) $h = N_a\ N_b\ B$ and $K_0 = K_A$. Thus, there exists a node $m$ (the first on this strand) with $\mathrm{term}(m) = K_A^{-1}$. Since by assumption $K_A^{-1} \notin \mathcal{K}_\mathcal{P}$, we may apply Proposition 3.3 to infer that $K_A^{-1}$ originates on a regular node. However, no initiator strand or responder strand originates $K_A^{-1}$.

S. The trace $\mathrm{tr}(p)$ has the form $\langle -g\,h, +g, +h \rangle$. Assume $\mathrm{term}(n_2) = g$; there is a symmetrical case if $\mathrm{term}(n_2) = h$. Because $n_2 \in S$, $N_b \sqsubset g$ and $v_0 \not\sqsubset g$. (Note: by the minimality of $n_2$, we must have $v_0 \sqsubset g\,h$, so $v_0 \sqsubset h$, as $v_0$ is an encrypted value, not a concatenated value.)

Let $T = \{m \in \mathcal{C} : m \prec n_2 \wedge g\,h \sqsubset \mathrm{term}(m)\}$. Every member of $T$ is a penetrator node, because no regular node contains a subterm $g\,h$ where $h$ contains any encrypted subterm.

$T$ is non-empty because $\langle p, 1 \rangle \in T$. Hence $T$ has a minimal member $m$ by Lemma 2.6, which is of positive sign by Lemma 2.7. Let us consider what kind of strand $m$ can lie on.

M, F, T, K. Clearly a minimal member of $T$ cannot lie on these strands.

S. If $g\,h \sqsubset \mathrm{term}(m)$, where $m$ is a positive node on a strand $p'$ of kind S, then $g\,h \sqsubset \mathrm{term}(\langle p', 1 \rangle)$. Moreover, $\langle p', 1 \rangle \prec m$, contradicting the minimality of $m$ in $T$.

E. If $g\,h \sqsubset \mathrm{term}(m)$, where $m$ is a positive node on a strand $p'$ of kind E, then $g\,h \sqsubset \mathrm{term}(\langle p', 2 \rangle)$. Moreover, $\langle p', 2 \rangle \prec m$, contradicting the minimality of $m$ in $T$.

D. If $g\,h \sqsubset \mathrm{term}(m)$, where $m$ is a positive node on a strand $p'$ of kind D, then $g\,h \sqsubset \mathrm{term}(\langle p', 2 \rangle)$. Moreover, $\langle p', 2 \rangle \prec m$, contradicting the minimality of $m$ in $T$.

C. Suppose $g\,h \sqsubset \mathrm{term}(m)$, where $m$ is a positive node on a strand $p'$ of kind C, and $m$ is minimal in $T$. Then $g\,h = \mathrm{term}(m)$, and $p'$ has trace $\langle -g, -h, +g\,h \rangle$. Hence, $\mathrm{term}(\langle p', 1 \rangle) = \mathrm{term}(n_2)$ and $\langle p', 1 \rangle \prec n_2$, contradicting the minimality of $n_2$ in $S$.

Therefore $n_2$ does not lie on a penetrator strand, but must lie on a regular strand instead. ■

Definition 4.5 Let $n_2$ be $\preceq$-minimal in $S = \{n \in \mathcal{C} : N_b \sqsubset \mathrm{term}(n) \wedge v_0 \not\sqsubset \mathrm{term}(n)\}$, and therefore regular and of positive sign.

We show next that the strand containing $n_2$ also has a node in which $v_0$ $(= \{N_a\ N_b\ B\}_{K_A})$ occurs. This lemma is illustrated in Figure 2.

Lemma 4.6 A node $n_1$ precedes $n_2$ on the same regular strand $t$, and $\mathrm{term}(n_1) = \{N_a\ N_b\ B\}_{K_A}$.

PROOF. $N_b$ originates at $n_0$ (Lemma 4.3), and originates uniquely in $\Sigma$ (Assumption 3). Moreover, $n_2 \neq n_0$, because $v_0 \sqsubset \mathrm{term}(n_0)$ while $v_0 \not\sqsubset \mathrm{term}(n_2)$. Hence, $N_b$ does not originate at $n_2$. So there is a node $n_1$ preceding $n_2$ on the same strand such that $N_b \sqsubset \mathrm{term}(n_1)$. By the minimality property of $n_2$, $\{N_a\ N_b\ B\}_{K_A} \sqsubset \mathrm{term}(n_1)$. However, as no regular node contains an encrypted term as a proper subterm, $\{N_a\ N_b\ B\}_{K_A} = \mathrm{term}(n_1)$. ■

Lemma 4.7 The regular strand $t$ containing $n_1$ and $n_2$ is an initiator strand, and is contained in $\mathcal{C}$.

PROOF. Node $n_2$ is a positive regular node and comes after a node (namely $n_1$) of the form $\{x\ y\ z\}_K$. Hence $t$ is an initiator strand; if it were a responder strand, it would contain only a negative node after one of that form. Thus, $n_1$ and $n_2$ are the second and third nodes of $t$ respectively. Since the last node of $t$ is contained in $\mathcal{C}$, all previous nodes are also. ■

[Figure 2. Node $n_1$ Contains $v_0$]

Proof of Proposition 4.2. Proposition 4.2 now follows immediately from Lemmas 4.6 and 4.7. ■

We have now proved the non-injective agreement property for the NSL responder. Injectivity follows easily on the assumption that the initiator chooses his value $N_a$ so that it uniquely originates. If $N_a$ is not uniquely originating, then the injectivity property is clearly false.

Proposition 4.8 If $\Sigma$ is an NSL space, $\mathcal{C}$ is a bundle, and $N_a$ is uniquely originating in $\Sigma$, then there is at most one strand $t$ with trace $\mathrm{Init}[A, B, N_a, N_b]$ for any $A$, $B$, and $N_b$.

PROOF. If any strand $t$ has trace $\mathrm{Init}[A, B, N_a, N_b]$ for any $A$, $B$, and $N_b$, then $\langle t, 1 \rangle$ is positive, $N_a \sqsubset \mathrm{term}(\langle t, 1 \rangle)$, and $N_a$ cannot possibly occur earlier on $t$. So $N_a$ originates at node $\langle t, 1 \rangle$. Hence, if $N_a$ originates uniquely in $\Sigma$, there can be at most one such $t$. ■

The requirement that $N_a$ and $N_b$ be distinct is a peculiarity of our approach. Without this assumption, the theorem is false. The responder strand

$\langle -\{N_a\ A\}_{K_B},\ +\{N_a\ N_a\ B\}_{K_A},\ -\{N_a\}_{K_B} \rangle$

can be embedded in a bundle $\mathcal{C}$ in which $N_a$ and $A$ originate on M-nodes, and the final term $\{N_a\}_{K_B}$ is generated by the penetrator on the "off chance" that $B$ will reuse the given nonce $N_a$. The responder's nonce $N_b$ $(= N_a)$ does originate uniquely then; however, not on the responder's strand, but on an M-strand.

In a probabilistic model, we would assume that the choice of $N_b$ is independent of the value of $N_a$. In this case, the penetrator's strategy will succeed sometimes, but no more frequently than randomly generating the bits to encrypt to make up the last message. Hence, this strategy may be safely ignored.

Thus, our strand space model can be more stringent than a faithful probabilistic model. An implementor can justify "cutting corners," for instance by not programming the check for $N_b = N_a$, by showing in the probabilistic model that an exploitation strategy has negligible probability of success, despite existing in the strand space model.

4.3 The Original Needham-Schroeder Protocol

This analysis also sheds light on why the original Needham-Schroeder protocol would be vulnerable. The analysis is exactly parallel except that the lemma corresponding to Lemma 4.6 would read:

Lemma 4.9 In the original Needham-Schroeder protocol, a node $n_1$ precedes $n_2$ on the same regular strand $t$, and $\mathrm{term}(n_1) = \{N_a\ N_b\}_{K_A}$.

With this weaker information, we cannot conclude that $t$ has a trace of the form $\mathrm{Init}[A, B, N_a, N_b]$, because the responder's identity is not determined by the term $\{N_a\ N_b\}_{K_A}$, which is all that we know $s$ and $t$ agree on. We can only infer that $t$ has trace $\mathrm{Init}[A, C, N_a, N_b]$ for some $C$. This is exactly the weakness that Lowe's attack exploits.

4.4 Secrecy: The Responder's Nonce

We may use the same methods to show that the responder's nonce $N_b$ remains secret in the protocol. For this result, we also need to assume that the responder's private key is not compromised. If it were, the penetrator could read $N_b$ directly from the last message of the exchange.

Proposition 4.10 Suppose:

1. $\Sigma$ is an NSL space, and $\mathcal{C}$ is a bundle containing a responder's strand $s$ with trace $\mathrm{Resp}[A, B, N_a, N_b]$;

2. $K_A^{-1} \notin \mathcal{K}_\mathcal{P}$ and $K_B^{-1} \notin \mathcal{K}_\mathcal{P}$; and

3. $N_a \neq N_b$ and $N_b$ is uniquely originating in $\Sigma$.

Then for all nodes $m \in \mathcal{C}$ such that $N_b \sqsubset \mathrm{term}(m)$, either $\{N_a\ N_b\ B\}_{K_A} \sqsubset \mathrm{term}(m)$ or $\{N_b\}_{K_B} \sqsubset \mathrm{term}(m)$. In particular, $N_b \neq \mathrm{term}(m)$.

PROOF. Let $\Sigma$, $\mathcal{C}$, $s$, $A$, $B$, $N_a$, and $N_b$ satisfy the hypotheses, and, as in Proposition 4.2, we will again refer to $\langle s, 2 \rangle$ as $n_0$, and to its term $\{N_a\ N_b\ B\}_{K_A}$ as $v_0$. The node $\langle s, 3 \rangle$ receives the value $\{N_b\}_{K_B}$; we will refer to this node as $n_3$ and its term as $v_3$. Consider the set:

$S = \{n \in \mathcal{C} : N_b \sqsubset \mathrm{term}(n) \wedge v_0 \not\sqsubset \mathrm{term}(n) \wedge v_3 \not\sqsubset \mathrm{term}(n)\}$

If $S$ is non-empty, then it has at least one $\preceq$-minimal element. We show first (Lemma 4.11) that such nodes are not regular. We next show (Lemma 4.12) that they are not penetrator nodes. Therefore $S$ is empty, and the theorem holds.

Lemma 4.11 No minimal member of $S$ is a regular node.

PROOF. Suppose instead that $m \in S$ is minimal and a regular node. The sign of $m$ is positive by Lemma 2.7.

Node $m$ cannot lie on $s$: only $n_0$ is positive, and $v_0 = \mathrm{term}(n_0)$, so $n_0$ is not in $S$.

Nor can $m$ lie on a responder's strand $s' \neq s$. In that case, $m = \langle s', 2 \rangle$, so $\mathrm{term}(m) = \{N\ N'\ C\}_{K_D}$. Since $N_b \sqsubset \mathrm{term}(m)$, either $N_b = N$ or $N_b = N'$.

• If $N_b = N$, $N_b \sqsubset \mathrm{term}(\langle s', 1 \rangle)$, because the term of the first node $\langle s', 1 \rangle$ is $\{N\ D\}_{K_C} = \{N_b\ D\}_{K_C}$. Moreover, $v_0 \not\sqsubset \{N_b\ D\}_{K_C}$ and $v_3 \not\sqsubset \{N_b\ D\}_{K_C}$. Hence $\langle s', 1 \rangle \in S$. Since $\langle s', 1 \rangle \prec m$, this contradicts the minimality of $m$.

• If $N_b \neq N$ and $N_b = N'$, then $N_b$ originates at $m$, contradicting the assumption that $N_b$ originates uniquely on $n_0$.

Suppose next that $m$ lies on an initiator strand $s'$. It must be either the first or third node.

• If $m = \langle s', 1 \rangle$, then since $N_b \sqsubset \mathrm{term}(m)$, $N_b$ originates at $m$, contradicting the assumption that $N_b$ originates uniquely on $n_0$.

• If $m = \langle s', 3 \rangle$, then $\mathrm{term}(m) = \{N_b\}_{K_C}$. So the second node $\langle s', 2 \rangle$ is of the form $\{x\ N_b\ C\}_K$. However, $C \neq B$, because otherwise $v_3 = \mathrm{term}(m)$. Hence $\langle s', 2 \rangle \prec m$ is in $S$, contradicting the minimality of $m$. ■

Lemma 4.12 No minimal member of $S$ is a penetrator node.

Proof Sketch. The proof is almost identical to the proof of Lemma 4.4. The only significant difference is that when the penetrator strand is of type D, we must consider two cases. In one case, $h = N_a\ N_b\ B$ and $K_0 = K_A$, which are the plaintext and key that produce $v_0$. In the other case, $h = N_b$ and $K_0 = K_B$, which are the plaintext and key that produce $v_3$. Hence, we must apply Proposition 3.3 to each of the two private keys, which explains the need to assume both uncompromised. ■
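The following Python model is an added example, not code from the paper or its authors. It encodes the term algebra and the Init and Resp traces of Definition 4.1, the origination notion that Lemma 4.3 applies to $N_b$ and $n_0$ (and that the $N_a = N_b$ counterexample at the end of Section 4.2 turns on), the responder-naming difference of Section 4.3, and the "only two shapes" conclusion of Proposition 4.10, and checks each of them on a constructed bundle. Term constructors, function names and the convention that the public key of principal X is written key("K" + X) are this example's own assumptions; the constructed bundles are not from the paper.

```python
# Added example, not from the paper: an executable model of the Section 4
# definitions.  Constructors, helper names and the key-naming convention
# (public key of X written key("K" + X)) are this example's own assumptions.

# Terms: names, nonces and keys are atoms; cat is concatenation, enc is {t}_K.
def name(x):   return ("name", x)
def nonce(x):  return ("nonce", x)
def key(x):    return ("key", x)
def cat(*ts):  return ("cat",) + ts
def enc(t, k): return ("enc", t, k)

def subterm(t, u):
    """The subterm relation t ⊏ u.  A key used only for encryption is not a
    subterm of the ciphertext, matching the free-encryption convention."""
    if t == u:
        return True
    if u[0] == "cat":
        return any(subterm(t, part) for part in u[1:])
    if u[0] == "enc":
        return subterm(t, u[1])          # look inside the plaintext only
    return False

# Traces of Definition 4.1 as lists of (sign, term).
def init_trace(A, B, Na, Nb):
    return [("+", enc(cat(Na, name(A)), key("K" + B))),
            ("-", enc(cat(Na, Nb, name(B)), key("K" + A))),
            ("+", enc(Nb, key("K" + B)))]

def resp_trace(A, B, Na, Nb):
    return [("-", enc(cat(Na, name(A)), key("K" + B))),
            ("+", enc(cat(Na, Nb, name(B)), key("K" + A))),
            ("-", enc(Nb, key("K" + B)))]

def classify(trace):
    """Read the role off the form of the trace, as the remark after
    Definition 4.1 says one can; any other form is a penetrator strand."""
    if len(trace) != 3 or any(t[0] != "enc" for _, t in trace):
        return "penetrator"
    p1, p2, p3 = (t[1] for _, t in trace)
    well_formed = (p1[0] == "cat" and len(p1) == 3 and p1[2][0] == "name"
                   and p2[0] == "cat" and len(p2) == 4 and p2[3][0] == "name"
                   and p3[0] != "name")          # N_b must not be a name
    if not well_formed:
        return "penetrator"
    A, B, Na, Nb = p1[2][1], p2[3][1], p1[1], p2[2]
    if trace == init_trace(A, B, Na, Nb):
        return "initiator"
    if trace == resp_trace(A, B, Na, Nb):
        return "responder"
    return "penetrator"

def originates_at(strands, value):
    """Nodes (strand index, position) at which value originates: a positive
    node containing value, with no earlier node on the same strand containing
    it.  This is the notion Lemma 4.3 applies to N_b and n_0."""
    found = []
    for i, trace in enumerate(strands):
        for j, (sign, term) in enumerate(trace):
            if (sign == "+" and subterm(value, term)
                    and not any(subterm(value, t) for _, t in trace[:j])):
                found.append((i, j))
    return found

def uniquely_originates(strands, value):
    return len(originates_at(strands, value)) == 1

def nonce_secrecy_holds(strands, Nb, allowed_shapes):
    """Conclusion of Proposition 4.10, checked node by node: wherever N_b
    occurs, one of the allowed encrypted shapes occurs in the same term, so
    N_b itself is never a whole term."""
    for trace in strands:
        for _, term in trace:
            if subterm(Nb, term) and not any(subterm(a, term) for a in allowed_shapes):
                return False
    return True

def responder_named_in_reply(reply):
    """Section 4.3: the NSL reply {N_a N_b B}_{K_A} carries the responder's
    name; the original Needham-Schroeder reply {N_a N_b}_{K_A} does not."""
    plain = reply[1]
    if plain[0] == "cat" and plain[-1][0] == "name":
        return plain[-1][1]
    return None

def demo():
    Na, Nb = nonce("Na"), nonce("Nb")
    # Constructed bundle: one honest NSL run between A and B.
    honest = [init_trace("A", "B", Na, Nb), resp_trace("A", "B", Na, Nb)]
    # Constructed counterexample from the end of Section 4.2: a responder
    # strand with N_b = N_a next to M-strands emitting N_a and A.  The other
    # penetrator strands are omitted; only M-strands make a text originate.
    degenerate = [resp_trace("A", "B", Na, Na), [("+", Na)], [("+", name("A"))]]
    v0, v3 = enc(cat(Na, Nb, name("B")), key("KA")), enc(Nb, key("KB"))
    return {
        "roles": [classify(t) for t in honest],
        "Nb_origin_honest": originates_at(honest, Nb),          # n_0 = (1, 1)
        "Nb_unique_honest": uniquely_originates(honest, Nb),
        "Nb_origin_degenerate": originates_at(degenerate, Na),  # an M-node
        "secrecy_shape": nonce_secrecy_holds(honest, Nb, [v0, v3]),
        "NSL_reply_names": responder_named_in_reply(v0),
        "NS_reply_names": responder_named_in_reply(enc(cat(Na, Nb), key("KA"))),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On the honest bundle the responder's nonce originates only at the responder's second node, and every node containing $N_b$ carries one of the two shapes Proposition 4.10 allows; in the degenerate bundle the same nonce originates on an M-strand instead, which is why hypothesis 3 of Proposition 4.2 asks for $N_a \neq N_b$. The last two entries make the Section 4.3 point concrete: only the NSL reply lets a checker recover the responder's name from the term the two strands agree on.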


4.5 The Initiator's Guarantees: Secrecy and Agreement

The proof of the secrecy of the initiator's nonce $N_a$ is very similar to the proof we have just given.

Proposition 4.13 Suppose:

1. $\Sigma$ is an NSL space, and $\mathcal{C}$ is a bundle containing an initiator's strand $s$ with trace $\mathrm{Init}[A, B, N_a, N_b]$;

2. $K_A^{-1} \notin \mathcal{K}_\mathcal{P}$ and $K_B^{-1} \notin \mathcal{K}_\mathcal{P}$; and

3. $N_a$ is uniquely originating in $\Sigma$.

Then for all nodes $m \in \mathcal{C}$ such that $N_a \sqsubset \mathrm{term}(m)$, either $\{N_a\ A\}_{K_B} \sqsubset \mathrm{term}(m)$ or $\{N_a\ N_b\ B\}_{K_A} \sqsubset \mathrm{term}(m)$. In particular, $N_a \neq \mathrm{term}(m)$.

By contrast, the initiator's guarantee of agreement is essentially different. In particular, it requires a stronger hypothesis than Proposition 4.2, namely that both private keys $K_A^{-1}$ and $K_B^{-1}$ are uncompromised. Not surprisingly, if $K_B^{-1} \in \mathcal{K}_\mathcal{P}$, then the penetrator can complete the entire exchange with no activity on $B$'s part.

Somewhat more surprising is this: if $K_A^{-1} \in \mathcal{K}_\mathcal{P}$, then the penetrator can read $B$'s reply $\{N_a\ N_b\ B\}_{K_A}$, substituting a different reply $\{N_a\ N'\ B\}_{K_A}$. This attack prevents us from proving agreement for the initiator assuming only that the responder's private key is uncompromised. Indeed, a proof approach based on an analogy with Proposition 4.2 fails.

However, we can prove an agreement theorem using the secrecy of $N_a$ as a lemma.

Proposition 4.14 Suppose:

1. $\Sigma$ is an NSL space and $\mathcal{C}$ is a bundle containing an initiator's strand $s$ with trace $\mathrm{Init}[A, B, N_a, N_b]$;

2. $K_A^{-1} \notin \mathcal{K}_\mathcal{P}$ and $K_B^{-1} \notin \mathcal{K}_\mathcal{P}$; and

3. $N_a$ is uniquely originating in $\Sigma$.

Then $\mathcal{C}$ contains the first two nodes of a responder's strand $t$ with trace $\mathrm{Resp}[A, B, N_a, N_b]$.

Proof Sketch. Consider the set $\{m \in \mathcal{C} : \{N_a\ N_b\ B\}_{K_A} \sqsubset \mathrm{term}(m)\}$. It is non-empty because it contains $\langle s, 2 \rangle$. So it contains a minimal member $m_0$. If $m_0$ lies on a regular strand $t$, then $t$ can be shown to have trace $\mathrm{Resp}[A, B, N_a, N_b]$, and to have two nodes (at least) in $\mathcal{C}$.

If instead $m_0$ lies on a penetrator strand $t$, then $t$ can be shown to be an E-strand with trace

$\langle -K_A,\ -N_a\ N_b\ B,\ +\{N_a\ N_b\ B\}_{K_A} \rangle$

But this contradicts Proposition 4.13, which implies that $N_a$ does not appear in the form shown in node $\langle t, 2 \rangle$.


5  Discussion 

In  this  paper,  we  have  developed  a  new  framework  for 
proving  the  correctness  of  cryptographic  protocols,  and  we 
have  applied  it  to  the  Needham-Schroeder-Lowe  protocol. 

The framework allows us to use mathematically straightforward methods to justify protocols. These methods primarily exploit two partial orderings, namely the subterm relation $\sqsubset$ between terms and the $\preceq$ relation between nodes. Inductive characteristics of the $\preceq$ ordering are proved via a least element principle. Inductive characteristics of the $\sqsubset$ relation can also be exploited [25, 26].

Proofs carried out in the strand space framework turn on detailed protocol behavior, and therefore appear more reliable than more "conceptual" proofs such as proofs in belief logics [3, 9]. Moreover, the proofs are intuitive enough that mere mortals can carry them out correctly without the need for mechanized support.

In  each  of  the  examples  we  have  studied,  as  documented 
in  [25],  we  have  discovered  new  information  about  the  con¬ 
ditions  under  which  the  protocol  is  correct.  We  have  found 
that: 

•  The  responder’s  agreement  guarantee  in  the  Needham- 
Schroeder-Lowe  protocol  holds  even  if  the  responder’s 
private  key  has  been  compromised.  By  contrast,  the 
initiator’s  agreement  guarantee  presupposes  that  nei¬ 
ther  the  initiator  nor  the  responder  has  had  his  private 
key  compromised  (Section  4.5). 

•  In  the  Otway-Rees  protocol,  even  if  both  the  responder 
and  the  initiator  receive  keys,  they  may  receive  differ¬ 
ent  keys.  This  is  essentially  due  to  Otway-Rees  estab¬ 
lishing  a  non-injective  sort  of  agreement  between  each 
principal  and  the  server. 

•  In  the  Yahalom  protocol,  if  there  are  multiple  trusted 
servers,  participants  may  play  the  role  of  a  server  as 
well  as  the  role  of  an  ordinary  participant,  so  long  as  a 
particular  symmetry  is  avoided.  Otherwise  attacks  are 
possible. 

Thus,  the  strand  space  approach  leads  to  a  precise  charac¬ 
terization  of  the  validity  of  the  protocols. 

Our work is closely related to Paulson's inductive approach [21, 20, 22]. Paulson models a protocol as a set of rules for extending a sequence of events; some of these rules represent actions by legitimate participants, while others represent actions by the penetrator. A sequence of events generated by these rules corresponds roughly to a bundle. Paulson expresses authentication goals and secrecy goals as properties of these sequences, which he can then prove by induction on the way that the sequence is generated. The general-purpose theorem-proving system Isabelle [19] provides mechanical support for the reasoning.

By contrast, our approach uses a partially ordered structure, the bundle. As we mentioned, Lemma 2.6 is in effect an induction principle on the partial order $\preceq$. The nodes in the bundle are organized into strands. Naturally, every bundle may be linearized into an event sequence in at least one way, while any event sequence determines a bundle.

However,  we  think  there  are  two  advantages  to  our  ap¬ 
proach.  First,  the  bundle  contains  exactly  the  causally  rel¬ 
evant  information.  There  is  no  ordering  relation  between 
two nodes unless the causality determined by the basic relations $\to$ and $\Rightarrow$ requires one, and this simplifies inductive
arguments.  Second,  the  strand  captures  a  great  deal  of  in¬ 
formation.  A  particular  strand  may  be  known  to  have  nodes 
in  a  bundle  (e.g.  because  a  value  originates  uniquely  on  it). 
From  this  we  can  identify  the  whole  sequence  of  relevant 
actions  for  that  participant,  which  aids  in  isolating  the  exact 
agreement  properties  the  protocol  satisfies.  We  believe  this 
is  why  our  results  are  somewhat  sharper  than  others  in  the 
literature. 

The  strand  space  framework  can  also  be  used  in  other 
ways,  apart  from  being  used  simply  to  prove  a  protocol  cor¬ 
rect.  For  instance,  it  could  be  used  to  give  an  alternate  se¬ 
mantics  for  belief  logics,  whether  applied  to  cryptographic 
protocols  [3,  2]  or  distributed  systems  more  broadly  [10],  in 
contrast  to  the  more  usual  semantical  approaches  based  on 
sequences  of  events  or  states.  The  localization  that  the  no¬ 
tion  of  strand  offers  should  help  to  refine  and  sharpen  such 
models.  Alternatively,  results  about  authentication  proto¬ 
cols  proved  in  a  strand  space  context  can  be  imported  into 
the  more  usual  linear  models  by  linearizing  the  bundles. 